Full Disclaimer:
https://www.linkedin.com/feed/update/urn:li:activity:7290731490089271296/
Some people have expressed concerns that I speak like I'm part of the US Government. For the record: I am not part of the US Government nor do I speak on behalf of or represent the US Government.
I am simply a citizen of the US that volunteers on a few US Government public-private partnership initiatives such as the ICT_SCRM Task Force and two SRMA's (CMSCC, HSCC) and I spend a lot of time in meetings discussing and learning about cybersecurity topics.
From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Dick Brooks via open-regulatory-compliance
Sent: Wednesday, February 5, 2025 2:28 PM
To: 'Open Regulatory Compliance Working Group' <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Dick Brooks <dick@xxxxxxxxxxxxxxxxxxxxxxxxx>; 'Christopher Robinson' <christopher.robinson@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] FYI: New initiative from LF
Hi Scott,
I spoke with CRob earlier today and I was informed that collaboration is indeed occurring between OpenSSF and Eclipse Foundation with regard to EU-CRA work on vulnerability reporting.
I’ve offered to work with OpenSSF and Eclipse on the EU-CRA initiatives and bring the information back into my circles working alongside US government entities, i.e. CISA public-private partnerships ( https://cisa.gov/sag ) and some Agencies:
https://www.nasa.gov/wp-content/uploads/2024/08/nasas-secure-software-development-self-attestation-collaboration-opportunity-20240731-113203-meeting-recording.mp4
I’ve worked on similar collaborations in the past between the US and EU, i.e. ISO 15000-2/OASIS ebXML/IEC TC57 WG 16 that have proven successful.
I spent two years working with the EU Energy industry, mostly with EirGrid in Ireland.
Even with the changes underway in the US Administration, I’m optimistic that good things can happen, with respectful collaborations.
Cybersecurity is a global risk and it’s going to take teamwork to succeed.
Hi Dick,
From the project lead/open source steward point of view this initiative appears appealing (under next steps...tools, processes, best practices, compliance resources for upstream OSS projects, etc.).
I had thought that the ORC WG (sig?) was working collaboratively with OpenSSF and/or Linux Foundation (Europe I guess from docs)...is that incorrect?
Scott
On 1/31/2025 6:43 AM, Dick Brooks via open-regulatory-compliance wrote:
https://www.linuxfoundation.org/press/openssf-and-lf-europe-launch-cra-initiative
Not sure what this means for the broader open source software community, but will be interesting to see where this goes.
I certainly agree with this statement:
"Cybersecurity is a matter of global concern. I am excited to see efforts like the EU’s CRA come online as it touches on topics we've been working to embed within organizations’ cybersecurity practices for decades," said Christopher “CRob” Robinson, Chief Security Architect of the OpenSSF.
Thanks,
Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org